Server 2008 and prior domain controllers create two Domain Admin accounts with permissions on the GPOs.  We could not see both in the GUI but when we ran icacls {GPO UID} on the Server 2008 domain controller you see both Domain Admin accounts.

Server 2012 and newer domain controllers only create a single Domain Admin account with access.  In the 2018.6C (June 21 Rollup, links below) patch for 2016 and 2012R2, a new function was introduced to remove duplicate ACEs in order to reduce the NTFS Security Descriptor stream size. Machines with this patch will no longer write that duplicate ACE, thereby making them inconsistent with the unpatched ones.

To fix we logged into the Server 2008 domain controller and ran the following command against all the GPOs to remove both domain admin account

icacls “{GPO UID}” /remove:g “<localdomain>\Domain Admins”

Then the following command to add a single Domain Admin account back to the GPO

icacls “{GPO UID}” /grant “<localdomain>\Domain Admins”:(OI)(CI)(F)

We then we forced replication again with these two commands

repadmin /syncall

repadmin /syncall /AdePq

After that we re-ran the Detect Now on the server 2016 and all servers were green.

IMPORTANT NOTE:

If you create a new policy on Server 2008 it will get the second domain admin account again.  So to prevent it from happening going forward you should create the GPOs on Server 2016.

• No Comments

Do they use Auto-Mapped mailboxes?

 Had this issue with a number of staff here directly after migration from 2010 to 2016

Fix:

$mailboxes = Get-MailboxPermission -Identity * -User <username> | Select -ExpandProperty Identity

Foreach($mailbox in $mailboxes){Remove-MailboxPermission -Identity $mailbox -user <username> -AccessRights fullaccess -Confirm:$False}

Foreach($mailbox in $mailboxes){Add-MailboxPermission -Identity $mailbox -User <username> -AccessRights fullaccess -AutoMapping $false -Confirm:$False}

Wait a few mins then see if the user can open Outlook.

• No Comments

Recently we swapped a users UPN on a local domain controller ( which syncs to 365 via AAdconnect) to another domain and SMTP alias, all worked well however she could not login to Skype for Business.

Resetting Windows Credentials, Caches and registry items still would not fix this.

Most of the time this is due to the SIP Address not being correct. Little did we know this user had Lync before migrating to 365 so they had a SIP address in the attribute editor

Changing this resolved the issue

• No Comments

When adding an Exchange account to a Send and Recieve Group you could get Sync Errors occuring

published calendar 0x80004005

To check which Published Calendar the error was talking about , go into  Account settings and go to the following tab below

You can remove these if you don’t need/want them

• No Comments

Recently VMware announces some changes to their licensing policy for vSphere – http://www.vmware.com/files/pdf/products/vsphere/VMware-vSphere-vSOM-Pricing-FAQs.pdf.

The main change is that vSphere  Enterprise will not be available after June 30, 2016. After that date, partners and clients can purchase only vSphere Standard, vSphere Enterprise Plus and

vSphere with Operations Management Enterprise Plus licenses. They also slightly increased the retail prices for all range of their vSphere licenses.

Existent clients with vSphere Enterprise have two options to choose from, as follows:

• use this version till it reaches the End of Support date on March 12, 2020
• upgrade to vSphere Enterprise Plus with 50% discount (that will be available till June 25, 2016). VMware just recently published the information about 50% discount on their web-site – http://www.vmware.com/promotions/2016-vSphere-vSOM-upgrade.html.

The benefits that vSphere Enterprise Plus can bring to the virtual environment help further automate and standardise it – https://kb.vmware.com/kb/2109507.

In my opinion, these features are :

• vSphere Distributed Switch – provides a centralized interface from which you can configure, monitor and administer virtual machine access switching for the entire datacentre, – http://www.vmware.com/au/products/vsphere/features/distributed-switch.html;
• vSphere Host Profiles – configuration settings that are shared by a group of VMware vSphere hosts are stored in a host profile, – http://www.vmware.com/au/products/vsphere/features/host-profiles.html;
• vSphere Storage I/O Control – provides I/O prioritisation for virtual machines running on a group of VMware vSphere hosts that have access to a shared storage pool, – http://www.vmware.com/au/products/vsphere/features/storage-io-control.html;
• Network I/O Control – is used to configure rules and policies at the virtual machine level and to assure that I/O resources are always available for your business-critical applications, – http://www.vmware.com/au/products/vsphere/features/network-io-control.html;
• vSphere Storage DRS – continuously balances storage space usage and storage I/O load while avoiding resource bottlenecks to meet application service levels, – http://www.vmware.com/au/products/vsphere/features/storage-drs.html;
• Flash Read Cache – provides a high performance read cache layer that dramatically lowers application latency, – http://www.vmware.com/au/products/vsphere/features/flash.

The good news is that VMware gives 25 Operating System Instance (OSI) pack of vRealize Log Insight for vCenter Server is now available for free to all vCenter Server Standard customers. This product allows to centralise the log files collection from hosts and vCenter, and it helps a lot to troubleshoot issues with the virtual environment – http://www.vmware.com/au/products/vrealize-log-insight.

For the productive environment, I would suggest upgrading to a special type of vSphere license called “vSphere Remote Office Branch Office Advanced” (or ROBO) – https://www.vmware.com/files/pdf/products/vsphere/VMware-vSphere-Remote-Office-Branch-Office-Editions-Datasheet.pdf.

Instead of licensing hosts by number of sockets, ROBO is licensed by pack of 25 VMs / per one site. One pack can be redistributed among many sites. However, only one pack can be used per site. So, three packs will be enough to license all productive sites, and it gives the same benefits as Enterprise Plus license – http://www.vmware.com/products/vsphere/compare.html

Prices in AUD

• No Comments